the people frrm ubuntu pointed me to this bug.

enabling ssl3 in the server with this orders served as a workaround:

ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on


but the client doesn't join completly the domain because in the system there is no system wide nss database:

New SSSD config will be created.
root : INFO New SSSD config will be created
Configured /etc/sssd/sssd.conf
root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=certutil: function failed: security library: bad database.

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1292, in <module>
  File "/usr/sbin/ipa-client-install", line 1279, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1124, in install
run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA", "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"]) File "/usr/lib/python2.7/dist-packages/ipapython/", line 273, in run
    raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255

It can create it with this commands:
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb

but asks for a password. there are some obscure references about using a password file called pwdfile.txt that resides in the server but I'm not sure with what to do now. perhaps the password must be blank. any idea?


Al 11/05/12 16:40, En/na pasqual milvaques ha escrit:
I'have download and compiled some versions of gnutls and this is the result:
gnutls-2.8.5: works
gnutls-2.12.19: fail
gnutls-3.0.19: fail

this must affect distributions in which ldaps connections are based in gnutls (I only know debian and ubuntu).

the problem can be tested with this command:
gnutls-cli -d 4 -p 636

in you have a problematic gnutls version the command would end with these lines:
|<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes]
|<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151
|<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with length: 156
|<2>| ASSERT: gnutls_buffers.c:640
|<2>| ASSERT: gnutls_record.c:969
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x9bb40d0]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
|<4>| REC[0x9bb40d0]: Epoch #0 freed
|<4>| REC[0x9bb40d0]: Epoch #1 freed

any idea in how to make this work?

Al 11/05/12 13:16, En/na pasqual milvaques ha escrit:
I'm trying to join an ubuntu 12.04 machine to freeipa domain installed in a centos 6.2 machine and it seems there is some problem with the tls negotiacion. ubuntu 12.04 uses gnutls instead of openssl so the problem could be there but I don't know how to solve it. with the ldapsearch command I can also reproduce the fail

I have opened this ubuntu bug as freeipa now has a native client package:

any idea?

this is the log of the operation:

pasqual@ubuntuprovesfreeipa:~$ sudo ipa-client-install -d --enable-dns-updates
[sudo] password for pasqual:
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
root : DEBUG missing options might be asked for interactively later

root : DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index' root : DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
root : DEBUG [ipadnssearchldap(]
root : DEBUG [ipadnssearchldap(]
root : DEBUG [ipadnssearchldap(es)]
root : DEBUG [ipadnssearchldap(]
root : DEBUG [ipadnssearchldap(]
root : DEBUG [ipadnssearchldap(es)]
root : DEBUG Domain not found
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex:
root : DEBUG will use domain:

root : DEBUG [ipadnssearchldap]
root : DEBUG IPA Server not found
DNS discovery failed to find the IPA Server
Provide your IPA server name (ex:
root : DEBUG will use server:

root : DEBUG [ipadnssearchkrb]
root : DEBUG [ipacheckldap]
root : DEBUG args=/usr/bin/wget -O /tmp/tmpWptXwb/ca.crt -T 15 -t 2
root : DEBUG stdout=
root : DEBUG stderr=--2012-05-11 12:06:09-- Resolent ( S'està connectant a (||:80... conectat.
HTTP: Petició enviada, esperant resposta... 200 OK
Longitud: 1325 (1.3K) [application/x-x509-ca-cert]
S'està desant a: «/tmp/tmpWptXwb/ca.crt»

     0K . 100% 38.4M=0s

2012-05-11 12:06:09 (38.4 MB/s) - s'ha desat «/tmp/tmpWptXwb/ca.crt» [1325/1325]

root : DEBUG Init ldap with: ldap://
root : ERROR LDAP Error: Connect error: A TLS packet with unexpected length was received.
Failed to verify that is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Freeipa-users mailing list

Freeipa-users mailing list

<<attachment: milvaques_pas.vcf>>

Attachment: smime.p7s
Description: Signatura criptogràfica S/MIME

Freeipa-users mailing list

Reply via email to